* feat: introduce analyzer interface and domain models
* feat: implement code analyzer with plugin infrastructure
* feat: add security rules
* feat: implement configuration management
* feat: add core analyzer engine and runner
* feat: implement reporters
* refactor: migrate CLI commands to new architecture
* refactor: update main entry point
* refactor: remove legacy security_analyzer module
* chore: update dependencies and example configuration
* chore: remove obsolete test files
* docs: add project context and architecture documentation
* refactor(core): cleanup ShieldRunner and reporter selection
* feat(analyzer): implement code scanning and issue mapping
* fix(analyzer): update analyzer result DTO structure
* feat(secrets): implement advanced secret scanning with Gitleaks rules (#18)
* feat(core): implement structured error handling system
* fix(analyzer): fix secret scanner keyword matching case sensitivity
* test: add unit tests for core/config/rules and E2E integration test
* feat!: replace gitbook with docs.page (#19)
* feat!: replace gitbook with docs.page
* docs: basic structure
* feat: stability improvements (#20)
* chore: add test dependencies for analysis rules
  Add analyzer_testing and test_reflective_loader packages to enable proper unit testing of analysis rules using the official Dart testing framework.
* test: add unit tests for all 5 analysis rules
  Add comprehensive unit tests for security rules using analyzer_testing:
  - prefer_https_over_http: 11 tests
  - avoid_hardcoded_urls: 10 tests
  - avoid_weak_hashing: 8 tests
  - prefer_secure_random: 7 tests
  - avoid_hardcoded_secrets: 11 tests
  Total: 47 new tests covering positive and negative cases.
* ci: add tests and code coverage to CI pipeline
  - Add dart test step to run unit tests on every PR
  - Add coverage generation and upload to Codecov
  - Add separate integration test job
  - Configure codecov.yml with coverage thresholds (70% project, 80% patch)
* docs: fix configuration documentation inconsistency
  Update README and example to correctly document analysis_options.yaml as the configuration file with dart_shield: key, replacing incorrect references to shield_options.yaml.
  - Add coverage badge to README
  - Simplify configuration documentation
  - Update example/analysis_options.yaml to use correct format
* feat: add severity metadata and filtering to rules
  - Create rule_metadata.dart with severity levels and OWASP/CWE refs
  - Map rule IDs to proper severity (high/medium/low/info)
  - Add --min-severity flag to analyze command for filtering
  - Update shield_runner to filter results by minimum severity
  Severity assignments:
  - avoid_hardcoded_secrets: high (CWE-798)
  - prefer_https_over_http: high (CWE-319)
  - avoid_weak_hashing: medium (CWE-328)
  - prefer_secure_random: medium (CWE-330)
  - avoid_hardcoded_urls: low (CWE-547)
* chore: update ignore files and clean up tracked files
  - Add pubspec.lock to .gitignore (not needed for packages)
  - Add internal docs to .gitignore (GEMINI.md, ROADMAP.md, etc.)
  - Update .pubignore with test/, tool/, codecov.yml, docs.json
  - Remove pubspec.lock files from git tracking
  - Remove internal planning documents from git tracking
* style: apply dart format to codebase
  Run dart format to ensure consistent code style across the project.
* ci: raise Dart SDK version
* style: formatting
* style: formatting
* ci: update test suite
To view this pull request's documentation preview, visit the following URL:
docs.page/yardexx/dart_shield~23
Documentation is deployed and generated using docs.page.
* feat: add SARIF output reporter for GitHub Security integration
  - Add modular SARIF module (sarif_document, sarif_builder, sarif_reporter)
  - Map dart_shield severity levels to SARIF levels (high->error, medium->warning, low/info->note)
  - Support --reporter=sarif CLI option
  - Add comprehensive tests (29 tests for SARIF module)
  - Add GitHub Actions integration documentation
  This enables:
  - GitHub Security tab integration
  - PR annotations showing security issues inline
  - Tracking security issues over time
* chore: remove plan files from tracking
* refactor: use json_serializable for SARIF models
  - Split SARIF models into separate files following SARIF 2.1.0 spec
  - Added json_serializable with explicitToJson for proper nested serialization
  - Models: SarifDocument, SarifRun, SarifTool, SarifDriver, SarifRule, SarifResult, SarifLocation, SarifPhysicalLocation, SarifRegion, SarifArtifactLocation, SarifMessage, SarifLevel
  - Updated tests to use new model structure
* refactor: extract SARIF into independent local package
  - Created packages/sarif/ as standalone Dart package
  - Moved SARIF models and builder to the new package
  - dart_shield now depends on local sarif package via path
  - SarifReporter remains in dart_shield as thin adapter
  - Package can be published separately in the future
* chore: configure sarif as workspace package and update dependencies
  - Add workspace configuration for packages/sarif
  - Update analyzer to ^10.0.2 and analyzer_plugin to ^0.14.2
  - Configure sarif package with resolution: workspace and publish_to: none
  - Align SDK constraints and update json_serializable to ^6.10.0
* refactor: reorganize utils and simplify SARIF reporter
  - Move utility files from analyzers/utils/ to src/utils/
  - Flatten SARIF reporter to reporters/sarif_reporter.dart
  - Add Pubspec utility for reading version from pubspec.yaml
  - Simplify SarifBuilder.buildJson() by removing pretty parameter
  - Refactor SarifReporter to use functional chain pattern
* chore(sarif): enable package publishing
* docs: add comprehensive documentation to ShieldRunner
  Document the main orchestrator class with:
  - Class-level overview of the 7-step analysis pipeline
  - Example usage snippet
  - Constructor and method documentation
  - Exit code explanations for CI/CD integration
* chore: add TODO for configuration management refactoring
* feat: add baseline file support for gradual adoption
  - Add BaselineManager for creating and loading baseline files
  - Add `dart_shield baseline` command to create baseline from current issues
  - Add `--baseline` option to analyze command to filter baselined issues
  - Fingerprints are MD5 hashes of (ruleId:filePath:line)
  - Baseline files are human-readable YAML format
  - Add comprehensive tests (12 tests for baseline manager)
  This enables teams to adopt dart_shield in existing projects without being overwhelmed by legacy issues.
* refactor: change default baseline path to .dart_tool/
  - Default baseline now writes to .dart_tool/dart_shield_baseline.yaml
  - Follows Dart conventions for tool-generated files
  - --output/-o option still allows custom paths
  - Ensures parent directory is created if it doesn't exist
* refactor: use dart_shield subdirectory for baseline
  Default path is now .dart_tool/dart_shield/baseline.yaml
* refactor: extract BaselineEntry to separate file
  Split baseline_manager.dart to follow one-class-per-file convention. Sealed classes and their implementations remain grouped by design.
* chore: remove plan files from tracking
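The SARIF severity mapping and the baseline fingerprint scheme described in the commits above, worked through as an added illustration that is not dart_shield's own code. It is written in Python rather than Dart so it runs on the standard library alone; the four-tuple issue shape, the tool version string and the `partialFingerprints` key name are assumptions.

```python
import hashlib
import json

# Constructed sample findings as (rule id, file path, line, severity); the
# tuple shape is an assumption, not dart_shield's own Issue model.
ISSUES = [
    ("avoid_hardcoded_secrets", "lib/config.dart", 12, "high"),
    ("prefer_https_over_http", "lib/api.dart", 40, "high"),
    ("avoid_weak_hashing", "lib/auth.dart", 77, "medium"),
    ("avoid_hardcoded_urls", "lib/api.dart", 41, "low"),
]
# Severity-to-SARIF level mapping stated in the PR's commit message.
SARIF_LEVEL = {"high": "error", "medium": "warning", "low": "note", "info": "note"}

def fingerprint(rule_id: str, path: str, line: int) -> str:
    """MD5 of 'ruleId:filePath:line', the baseline key format the PR describes."""
    return hashlib.md5(f"{rule_id}:{path}:{line}".encode()).hexdigest()

def create_baseline(issues) -> set:
    """Record every current issue so later runs only report new ones."""
    return {fingerprint(r, p, l) for r, p, l, _ in issues}

def filter_baselined(issues, baseline: set) -> list:
    """Drop issues whose fingerprint is already recorded in the baseline."""
    return [i for i in issues if fingerprint(*i[:3]) not in baseline]

def build_sarif(issues, tool_version: str = "0.0.0-example") -> dict:
    """Minimal SARIF 2.1.0 log: one rule entry per rule id, one result per issue."""
    rule_ids = sorted({i[0] for i in issues})
    return {
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": "dart_shield", "version": tool_version,
                                "rules": [{"id": r} for r in rule_ids]}},
            "results": [{
                "ruleId": r, "level": SARIF_LEVEL[sev],
                "message": {"text": f"{r} at {p}:{l}"},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": p}, "region": {"startLine": l}}}],
                # partialFingerprints lets GitHub track one issue across runs
                "partialFingerprints": {"dartShield/v1": fingerprint(r, p, l)},
            } for r, p, l, sev in issues],
        }],
    }

if __name__ == "__main__":
    baseline = create_baseline(ISSUES[:2])  # adopt with two legacy findings recorded
    print(json.dumps(build_sarif(filter_baselined(ISSUES, baseline)), indent=2))
```

Note that the fingerprint changes whenever a file is edited above the issue line, so a baseline silences a finding only until the code around it moves.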
Add the _filterBaselined method that was being called but never defined, causing a compilation error. The method uses BaselineManager to filter out issues already recorded in the baseline file.
* feat: add 3 Flutter-specific security rules
  - avoid_insecure_webview_settings: detects unrestricted JavaScript mode in WebViews
  - avoid_unvalidated_deep_link: warns about unvalidated deep link parameters
  - avoid_webview_javascript_bridge: detects potentially sensitive JavaScript channels
* test: add tests for Flutter-specific security rules
  Add comprehensive tests for the 3 Flutter-specific rules:
  - avoid_insecure_webview_settings: 7 tests
  - avoid_unvalidated_deep_link: 8 tests
  - avoid_webview_javascript_bridge: 12 tests
* feat: add 6 new security rules
  New rules:
  - avoid_empty_catch: Detects empty catch blocks (CWE-390)
  - avoid_logging_sensitive_data: Detects logging of sensitive variables (CWE-532)
  - avoid_certificate_pinning_bypass: Detects SSL bypass patterns (CWE-295)
  - avoid_dynamic_sql_queries: Detects SQL injection risks (CWE-89)
  - avoid_shared_preferences_for_secrets: Detects unencrypted secret storage (CWE-312)
  - avoid_insecure_file_storage: Detects sensitive file writes (CWE-922)
  Total rules: 11 (5 existing + 6 new)
* test: add comprehensive tests for new security rules
  Tests added for:
  - avoid_empty_catch: 19 tests covering empty/non-empty catch blocks
  - avoid_dynamic_sql_queries: 16 tests for SQL injection detection
  - avoid_logging_sensitive_data: 20 tests for logging sensitive vars
  - avoid_certificate_pinning_bypass: 11 tests for SSL bypass detection
  - avoid_insecure_file_storage: 14 tests for sensitive file names
  - avoid_shared_preferences_for_secrets: 14 tests for unencrypted storage
  Also fixed avoid_empty_catch rule to handle AwaitExpression.
  Total: 90 new tests
Welcome to Codecov 🎉 Once you merge this PR into your default branch, you're all set! Codecov will compare coverage reports and display results in all future pull requests. Thanks for integrating Codecov - We've got you covered ☂️
Status: IN DEVELOPMENT